Cross-site scripting (XSS) vulnerability with Access Manager Identity Server

  • 3615264
  • 05-Jan-2007
  • 26-Apr-2012

Environment

Novell Access Management 3
Linux
Novell Identity Server
Authentication enabled (LDAP, mutual, NMAS and RADIUS)

Situation

When authenticating to an Access Manager Identity Server, it is possible to maliciously inject a script that causes the authentication to fail. We can reproduce this by sending the following request to the Identity Server, specifically targeting a vulnerability in the 'IssueInstant' parameter, as shown below:

GET /nidp/idff/sso?RequestID=1234&IssueInstant=

If an invalid IssueInstant parameter is passed in, the following error message is generated:

Unable to complete authentication request.
Cause/Code: Unable to parse provided XML date

Additionally, the error message prints out the value that was passed in the IssueInstant parameter.

The reflected value should be HTML encoded before it is written into the page to prevent the XSS vulnerability.

Resolution

Apply Identity Server build 3.0.0-1013, shipped with Access Manager SP1 IR1. This patch will also be included in the Access Manager 3 SP1 build. It fixes the cross-site scripting issue in the IssueInstant parameter by removing malicious HTML content from the error message.
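To make the defect and the fix concrete, the following is an added Python model of the handler logic described above; it is not the Identity Server's own code, which is not on this page. It parses IssueInstant as an XML Schema dateTime and, on failure, builds the error page either by reflecting the value raw (the vulnerable behaviour) or HTML-encoded (the fix). The HTTP status code, the page layout and the UTC default for a missing time zone are assumptions.

```python
import html
import re
from datetime import datetime, timedelta, timezone

# Shape of an XML Schema dateTime as the Liberty/SAML IssueInstant uses it:
# YYYY-MM-DDThh:mm:ss[.fraction][Z|+hh:mm|-hh:mm]
_XSD_DATETIME = re.compile(
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})?"
)


def parse_issue_instant(value: str) -> datetime:
    """Parse an xsd:dateTime string; raise ValueError if it is not one."""
    m = _XSD_DATETIME.fullmatch(value)
    if not m:
        raise ValueError("Unable to parse provided XML date")
    base, frac, tz = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")  # rejects month 13 etc.
    if frac:
        dt = dt.replace(microsecond=int(frac[1:].ljust(6, "0")))
    if tz is None or tz == "Z":
        return dt.replace(tzinfo=timezone.utc)  # assumption: no zone means UTC
    sign = 1 if tz[0] == "+" else -1
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return dt.replace(tzinfo=timezone(sign * offset))


ERROR_TEXT = ("Unable to complete authentication request.<br>"
              "Cause/Code: Unable to parse provided XML date<br>")


def error_page(issue_instant: str, encode: bool) -> str:
    """Build the error page that echoes the rejected parameter.
    encode=False models the vulnerable build (raw reflection, markup is
    rendered); encode=True models the fixed build (value shown as text)."""
    shown = html.escape(issue_instant) if encode else issue_instant
    return f"<p>{ERROR_TEXT}Value: {shown}</p>"


def handle_sso(params: dict, encode: bool = True) -> tuple:
    """Model of the /nidp/idff/sso handler: returns (HTTP status, body)."""
    value = params.get("IssueInstant", "")
    try:
        parse_issue_instant(value)
    except ValueError:
        return 400, error_page(value, encode)
    return 200, "<p>IssueInstant accepted</p>"
```

Run the same constructed request (for example IssueInstant set to `<b>x</b>`) through handle_sso with encode=False and encode=True to see the tag reflected verbatim in the first case and as `&lt;b&gt;x&lt;/b&gt;` in the second.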

Status

Security Alert